Verizon blocks Google Wallet over security concerns

Citing security concerns, Verizon Wireless is blocking the use of Google Wallet on the upcoming Galaxy Nexus smartphone running on Verizon's 4G LTE network, according to news reports.

Verizon has denied such reports, which claim that it's blocking the mobile payment application on the first Android 4.0 Ice Cream Sandwich smartphone, slated to launch in the United States this Friday for $299.99.

But Google has issued this simple statement to the contrary:

Verizon asked us not to include this functionality in the product.

Bloomberg Businessweek quoted a Verizon Wireless spokesman, Jeffrey Nelson, as saying in an email statement on Tuesday that the company is working to have "the best security and user experience."

Verizon, the largest wireless carrier in the United States, will allow the Google service "when those goals are achieved," according to Nelson's statement.

Why the ongoing negotiations? Nelson said Google Wallet is different from other mobile commerce services.

"Google Wallet does not simply access the operating system and basic hardware of our phones like thousands of other applications," he added. "Instead, in order to work as architected by Google, Google Wallet needs to be integrated into a new, secure and proprietary hardware element in our phones."

As mobile aficionados well know, Google is pinning its hopes on the Galaxy being a flagship device that will carve away at sales of the iPhone 4S.

Verizon and its wireless buddies don't necessarily share in that ambition. Verizon Wireless and its partners AT&T and T-Mobile USA have their own game plan, having invested more than $100 million in a joint venture: a competing wireless payment system called Isis, due to debut in 2012.

At first glance, the security question seems like it could well be little more than a stalling mechanism.

Google Wallet will be protected by a four-digit passcode. That's certainly not the pinnacle of safe-password heights, as Sophos's Graham Cluley has pointed out.

Cluley is, of course, right about a longer password being potentially a more secure, less easily guessed password.

But a four-digit password is also plenty more secure than a plain old plastic card. For my part, I refuse to put my signature on the back of a card, instead choosing to write in large block letters PLEASE SEE PHOTO ID.

Even that barely works; a small minority of clerks follow through with my requested compliance with two-factor authentication.

Computerworld's Matt Hamblen on Wednesday described in detail the security issue that Verizon's supposedly worried about:

What seems to be at issue is whether Verizon's security team can integrate Google Wallet into a "secure hardware element," or the system for storing private data, in phones with near field communications (NFC) technology. Google Wallet would need to work with whatever secure element Verizon and its partners in the Isis mobile payment venture are using. ...

A smartphone's secure element is usually a chip or a group of chips that bolsters security by recognizing a person's credit credentials apart from the phone's operating system, thus attaching an additional layer of proof for a transaction to go through. The secure element contains a user's personal information that allows a payment to be made, and that information is usually obtained with a cryptographic key.

This brouhaha between Google and Verizon is actually just the latest skirmish in a battle over who should control that secure element, Hamblen writes. The wireless carriers want security on a SIM chip, while smartphone and mobile operating system makers such as Google want it either on an NFC chip or embedded within a separate chip.

These questions seem to boil down to insider baseball. For the consumer, what really matters is that Google Wallet, or Isis, or any given mobile wireless payment system, is secure, not which party gets the right to control that security.

Can we pick secure four-digit passwords? Many of us can, and many of us cannot. That will never change.

Does it matter, given that payment processing players such as MasterCard will protect us from whatever password dopiness we commit on smartphones, refunding the funds we lose if and when our passwords are compromised?

My guess would be no, not really. This Verizon-Google chest-bumping seems to be more about profit and control than real security concerns.

Blogging: the art of informing while voicing an opinion. I just made up that definition. Seems pretty apt though, eh? If everybody's squeaking about a subject, it's permissible to both inform and put it into perspective, to my mind. Just furthering the conversation.

"little to do with security" also means "something to do with security". It doesn't mean "nothing to do with security". Sheeesh.

I also think there is a valid security concern here. When companies start fighting over who gets to make the big bucks it means they are concentrating on profit and not on whatever it is they were supposed to be doing. In this case a squabble over phone payment systems is likely to mean a less well thought out security implementation.

I for one think that Google is likely to do a far better job of security than the Telco's. They aren't exactly good at mobile software, just look at the way they made phones look and feel until Apple refused to change the iPhone and broke their stranglehold on phone design.

Debit & credit cards only have a 4-digit PIN, and that's plenty secure enough as long as you don't pick 1234 or suchlike. Actually my bank won't allow you to choose a sequence or all 4 digits the same anyway, no reason Google couldn't block "obvious" combinations.
btw don't you have chip & PIN cards there yet?

united states do not have chips in debit or credit cards and until forced to i do not think they ever will on their own - much cheaper to leave us open to fraud and scam us to be responsible for their refusing to use existing means to stop it

It's of course a profit issue. However I take issue with the implication that we ought not worry about proper encryption--that "Mastercard" will take care of our errors, which is the kind of mindset which denies individual responsibility for one's own security, which can only lead to additional control and domination by large business enterprises or their governments.

A similar thing happened back in 2008. Verizon restricted the GPS functionality to only certain apps on their phones i.e. they wanted to force you to use their V Navigator..when Google Maps became the standard, people were in an uproar over it, Verizon quickly updated the software to control what apps could use GPS. It will take a lawsuit probably to get them to react.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.